I have ubuntu server on digitalocean and I want to give someone a folder for their domain on my server, my problem is, I don’t want that user to see my folders or files or to be able to move out their folder.
How can I restrict this user in their folder and not allow to him to move out and see other files/directories ?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
I solved my problem by this way:
Create a new group
$ sudo addgroup exchangefiles
Create the chroot directory
$ sudo mkdir /var/www/GroupFolder/ $ sudo chmod g+rx /var/www/GroupFolder/
Create the group-writable directory
$ sudo mkdir -p /var/www/GroupFolder/files/ $ sudo chmod g+rwx /var/www/GroupFolder/files/
Give them both to the new group
$ sudo chgrp -R exchangefiles /var/www/GroupFolder/
after that I went to /etc/ssh/sshd_config and added to the end of the file:
Match Group exchangefiles # Force the connection to use SFTP and chroot to the required directory. ForceCommand internal-sftp ChrootDirectory /var/www/GroupFolder/ # Disable tunneling, authentication agent, TCP and X11 forwarding. PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Now I’m going to add new user with obama name to my group:
$ sudo adduser --ingroup exchangefiles obama
Now everything is done, so we need to restart the ssh service:
$ sudo service ssh restart
notice: the user now can’t do any thing out file directory
I mean all his file must be in file Folder.
Method 2
Restrictions are a sensible issue, and it must be defined consistently. What you can do is to define a restricted shell for the user as his default shell.
For example, setting /bin/rksh (a restricted kornshell) instead of the user’s predefined shell as the default shell for that user in /etc/profile.
NOTE: if the executable with this name is not existing on your system then create a hard link ln /bin/ksh /bin/rksh and ksh will determine by its name whether it’s restricted or not.
The restricted shell will (for example) prevent doing a cd command, or specifying a command with a / (an explicit path) in the invocation, and it disallows changing the PATH, SHELL, or ENV variable, and output redirections are also prohibited.
You can still provide predefined shell scripts to the user that will (under the script implementors control!) allow the user to run that specific script(s) in an unrestricted environment.
Method 3
The command chroot allows you to create a restricted root for a user, this question explains the concept of chroot and how to use it.
Update: Searching for chroot jail set up on digital ocean, brings up further documentation specific to their environment.
Here’s a couple which I think are related to what you might need.
How To Configure Chroot Environments for Testing on an Ubuntu 12.04 VPS
How to allow restriced SSH access to chroot jailed user
Here’s one which relates to jailkit, which FloHimself suggested.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0